Summary


This document explains the importance of using a privacy notice to educational 
establishments and local authorities. It contains information to explain what a privacy 
notice is, when it should be issued and what information we would expect it to contain. 


It is important to note that this document provides tips and guidance only. It does not
constitute formal legal guidance; a school / local authority is ultimately responsible
for its own data protection procedures and compliance with legislation.


As you will process personal data (personal data is all the data that relates to an 
identified or identifiable living individual) that isn’t solely for use within departmental data 
collections, this information must be expanded and amended to reflect local needs and 
circumstances. 


An example school’s pupil privacy notice is provided at Annex A. Please note this is only 
an example and, as such, is NOT exhaustive and MUST be reviewed and amended to 
reflect the type of school and to meet local circumstances. 


1. The purpose of a Privacy Notice 


The Data Protection Act (2018) sets out in UK law the legal framework with which
education settings and local authorities must comply when they process personal
data. It is based on the EU General Data Protection Regulation (GDPR).


Providing accessible information to individuals about the use of their personal information
(data) is a key element of their legal right to transparency as set out in the GDPR. Data
Controllers and Data Processors are responsible for providing this information. All
education settings and local authorities are classed as data controllers and may also be
data processors in their own right and, as such, they have a duty to inform pupils, staff
and parents (known as Data Subjects) on how they process the data that is within their
control.


Definitions 


• Data Controller - the organisation which (either alone or in common with other
people) determines the purpose for which, and the way, data are processed.
• Data Processor - a person or organisation who processes data on behalf of and on
the orders of a controller.
• Data Subject - the person about whom you are processing data.
• Data Protection Officer - an officer of the education establishment or local
authority who is responsible for data protection issues within the organisation.
• Personal Data is classed as any information which, on its own or in conjunction
with other information available to a Data Controller, can identify a Data Subject.
• Some Personal Data is classed as being part of a special category, and if you
control or process special category data you need an additional reason to process the
data. GDPR specifically defines ‘special category’ as data relating to:
  o racial or ethnic origin
  o political opinions
  o religious or philosophical beliefs
  o trade-union membership
  o health or sex life
  o Data relating to criminal offences is also afforded similar special
  protection.


For the purposes of data protection legislation, the terms ‘process’, ‘processed’ or 
‘processing’ apply to any activity involving the personal data, such as: 


• collecting
• storing
• sharing
• destroying

Please note: this list is not exhaustive.


The most common way to provide information is through a privacy notice. The privacy
notice is a document that is used to set out, in plain and simple language, how the data
controller processes the data that is within their control. It would be
expected to meet the requirements outlined in section 2 of this guide.


As the purpose of the document is to be transparent about how personal data is used, it is
recommended that the notice is made available on the school website for pupils and
parents. It must be made available or highlighted as part of any data collection process
at the start of each school year - ensuring it is easily accessible at all times. You may
also wish to have two different privacy notices explaining the same information, but one
aimed at parents and the other aimed at children.


For new staff members it is recommended that the privacy notice is included as part of an 
induction pack and is available on the staff notice board / intranet. Existing staff members 
must be made aware of the privacy notice at the start of each school year. 


Privacy Notices should be reviewed by your data protection officer on at least an annual 
basis and should also be reviewed whenever you make a significant change to how you 
process personal data. 


For more information on privacy notices and the changes required as a result of GDPR,
please see the ICO (Information Commissioner’s Office) website:
https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/.


2. What a privacy notice should contain


A good privacy notice will: 


• be written in clear language the data subject will understand
• be truthful and in no way misleading
• contain the following sections:
  o who the Data Controller and Data Processors are
  o the categories of data collected / processed (see section 3.1)
  o why the data is collected (purpose) (see section 3.2)
  o how the data is used (processed) (see section 3.2.1)
  o the lawful basis for processing the data (see section 3.2.2)
  o how and where the data is stored and how long for, and how security is
  ensured (see section 3.4)
  o who / which organisations data is shared with and why (see section 3.5)
  o what those organisations will do with the data (see section 3.6)
  o the individual’s rights over their data (including right of access) and how
  they can exercise them (see section 3.7)
  o contact details for the data protection lead (for queries)
  o contact details for the Information Commissioner’s Office in the event the
  data subject wishes to make a complaint
• highlight any changes made to the way the personal data is processed
• be easily accessible to pupils / parents / staff
• where you are processing special categories of personal data (such as race,
religion or health details) you need to list the additional lawful basis for that data


This list is not exhaustive and settings / local authorities are expected to tailor the notice 
to meet their own business needs — covering any elements that are specific to them. 


3. Suggested wording and layout 


Due to the large number of statutory data collections from schools and local authorities to
the Department for Education (DfE), we work closely with legal advisors and the ICO to
maintain several suggested text documents. These documents contain examples of the
relevant sections required and a proposed format, and are available online here:


https://www.gov.uk/government/publications/data-protection-and-privacy-privacy-notices. 


The documents must be reviewed and amended to reflect local needs and 
circumstances with the advice of your data protection officer, as you will process data 
that is not solely for use within statutory data collections. Whilst privacy notices should be 
updated as need occurs, best practice suggests an annual review should also be 
undertaken — referring to the latest documentation on GOV.UK as part of the review 
process. 


Where settings wish to know more about privacy notices, the ICO website provides full
details and can be found at
https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/.


Using the resources available, settings will be able to establish which elements to include 
within their privacy notice. For more information on the suggested elements, please see 
the following sections and the example school notice at Annex A. 


3.1 Categories of information processed 


You will process many individual data items for your pupils and / or staff members. Under
GDPR, you are expected to be transparent about which categories of information
you process.


Individual data items can be extremely detailed and are unlikely to be used in isolation, 
and therefore if you think them through, it helps to group data items together into data 
item groups. Similarly, with over 1,000 systems in use in the education sector, grouping 
into overarching themes can help provide focus as groups will be used in similar ways 
across the sector. 


As indicated within the Data Protection toolkit for schools, grouping data items about 
pupils into the following areas was found to be the most workable set of data item 
groups: 


• admissions
• attainment
• attendance
• behaviour
• exclusions
• personal identifiers, contacts and pupil characteristics
• identity management/authentication
• catering and free school meal management
• trips and activities
• medical information and administration
• safeguarding and special educational needs


Please note: this list is not exhaustive; it must be amended depending on the type of data
you process (pupil / child or staff). You are also asked to note that some of these will
include data items which may be classed as a special category of personal data and
you may need to include additional information about them in your privacy notice.


Best practice suggests that within your privacy notice, you include the category of data, 
along with an example of the data, to identify to the data subject what types of data fall 
into that category. Examples include: 


• personal identifiers, contacts and characteristics (such as name, unique pupil
number, contact details and address)
• attendance (such as sessions attended, number of absences and reason for
absence)
• staff contract information (such as hours worked, job role and salary information)
• information relating to episodes of being a child in need (such as referral
information, assessment information, Section 47 information, Initial Child
Protection information and Child Protection Plan information)


Understandably, this list may not capture all data items collected, or held at a later
point in time, without becoming too complicated for people to follow. Therefore, it is useful to
state clearly in the privacy notice that the list is not exhaustive and provide a location
where a maintained data asset register or current privacy notice can be found. This could
be on a website or widely accessible noticeboard.


You must review and amend the suggested text to reflect local needs and circumstances,
as you will process data that isn’t solely for use within statutory data collections,
including, for example, how you process data in support of school trips or your social
media policy for personal data which appears on websites.


3.2 Why personal data is collected 


As an educational setting or local authority, you will collect individual pupil / staff data for 
several reasons. You must state these reasons within your privacy notice. 


Your privacy notice must include:
• the purposes of the processing, as well as
• the lawful basis for processing


3.2.1 Purpose: 


Best practice suggests listing the purposes of processing in a clear, understandable way 
and, for this type of data, it is enough to state: 


This information is used to:
• provide the child with an education
• allocate the correct teaching resource
• provide any additional support
• ensure safety of pupils whilst in your care


Please note: this list is not exhaustive. 


You should then consider which lawful basis best fits the purposes (see section 3.2.2). 
You might consider that more than one basis applies, in which case you should identify 
and document all of them. 


Schools will also wish to be mindful of the pupil registration regulations, which define the
information required to be held in the school’s admissions and attendance registers.


3.2.2 Lawful basis 


Data subjects need to know which data is being collected on which basis, so they 
understand how to exercise their rights. This is where a layered privacy notice can be 
useful - see 4.1. However, you do not need to list the lawful bases for each category or 
type of data you collect — only for the different purposes that you collect it, which should 
make it more manageable. 


GDPR states that you must include the lawful basis for collecting and using personal
data. In most cases (apart from consent) you may need to demonstrate why processing
specific personal data is necessary for that task. The basis is limited to the
following list:


(a) Consent: the individual has given clear consent for you to process their personal data 
for a specific purpose. 


(b) Contract: the processing is necessary for a contract you have with the individual, or 
because they have asked you to take specific steps before entering into a contract. 


(c) Legal obligation: the processing is necessary for you to comply with the law (not 
including contractual obligations). 


(d) Vital interests: the processing is necessary to protect someone’s life. 


(e) Public task: the processing is necessary for you to perform a task in the public 
interest or for your official functions, and the task or function has a clear basis in law. 


(f) Legitimate interests: the processing is necessary for your legitimate interests or the 
legitimate interests of a third party, unless there is a good reason to protect the 
individual’s personal data which overrides those legitimate interests. (This cannot apply if 
you are a public authority processing data to perform your official tasks.) 


Where the data processed is a ‘special category’, a condition from the following list is also required:


(a) the data subject has given explicit consent to the processing of those personal data 
for one or more specified purposes, except where Union or Member State law provide 
that the prohibition referred to in paragraph 1 may not be lifted by the data subject; 


(b) processing is necessary for the purposes of carrying out the obligations and 
exercising specific rights of the controller or of the data subject in the field of employment 
and social security and social protection law in so far as it is authorised by Union or 
Member State law or a collective agreement pursuant to Member State law providing for 
appropriate safeguards for the fundamental rights and the interests of the data subject; 


(c) processing is necessary to protect the vital interests of the data subject or of another 
natural person where the data subject is physically or legally incapable of giving consent; 


(d) processing is carried out in the course of its legitimate activities with appropriate 
safeguards by a foundation, association or any other not-for-profit body with a political, 
philosophical, religious or trade union aim and on condition that the processing relates 
solely to the members or to former members of the body or to persons who have regular 
contact with it in connection with its purposes and that the personal data are not 
disclosed outside that body without the consent of the data subjects; 


(e) processing relates to personal data which are manifestly made public by the data 
subject; 


(f) processing is necessary for the establishment, exercise or defence of legal claims or 
whenever courts are acting in their judicial capacity; 


(g) processing is necessary for reasons of substantial public interest, on the basis of 
Union or Member State law which shall be proportionate to the aim pursued, respect the 
essence of the right to data protection and provide for suitable and specific measures to 
safeguard the fundamental rights and the interests of the data subject; 


(h) processing is necessary for the purposes of preventive or occupational medicine, for 
the assessment of the working capacity of the employee, medical diagnosis, the 
provision of health or social care or treatment or the management of health or social care 
systems and services on the basis of Union or Member State law or pursuant to contract 
with a health professional and subject to the conditions and safeguards referred to in 
paragraph 3; 


(i) processing is necessary for reasons of public interest in the area of public health, such
as protecting against serious cross-border threats to health or ensuring high standards of
quality and safety of health care and of medicinal products or medical devices, on the
basis of Union or Member State law which provides for suitable and specific measures to
safeguard the rights and freedoms of the data subject, in particular professional secrecy;


(j) processing is necessary for archiving purposes in the public interest, scientific or 
historical research purposes or statistical purposes in accordance with Article 89(1) 
based on Union or Member State law which shall be proportionate to the aim pursued, 
respect the essence of the right to data protection and provide for suitable and specific 
measures to safeguard the fundamental rights and the interests of the data subject. 


You also need to be aware that your choice of lawful basis may affect the rights of the 
data subjects. 


As required by section 10 of the DPA, the processing meets the requirement in point (b), 
(h), (i) or (j) of Article 9(2) of the GDPR for authorisation by, or a basis in, the law of the 
United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1 of 
Schedule 1. 


If relying on (b), (h), (i) or (j) of Article 9(2) of the GDPR, identify which condition in DPA 
2018 Schedule 1, Part 1 is met. 





For more information, see the ICO website:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
and the Data protection toolkit for schools.


Within education, we do process some sensitive information about children that is not set
out in the legislation as ‘special category personal data’, notably information about
children’s services interactions, free school meal status, pupil premium eligibility,
elements of special educational need information, safeguarding information and some
behaviour data. We consider it best practice that, when considering security and business
processes about such data, they are also treated with the same ‘high status’ as the
special categories set out in law.


As well as using this information for your own needs, some of your data is also shared
with other people or organisations, most frequently with the local authority (where
applicable) to support their business needs and the Department for Education (DfE) due
to legal obligation / data collection requirements. You may also share for reasons of
safeguarding or to organise events and trips.


Data collected specifically for the DfE is required under legislation and this legislation 
meets the collection requirement under the GDPR lawful basis ‘legal obligation’ as to why 
the setting collects this data. Most other data that schools need to collect, besides that for 
which they have a legal obligation, will fall under the lawful basis of ‘public task’. 


Where the lawful basis is legal obligation or public task, you should list any relevant 
legislation that supports the basis of the obligation or task. 


Please note: most of the schools’ processing will not be done on the basis of consent. 
Consent should not be relied upon for any processing essential for a school performing 
public tasks and for data in a learner’s Education Record. 


Where schools collect data on the basis of consent (for example, use of pupil photos on
websites, social media), best practice indicates this should be explained in a separate
privacy notice covering that type of processing, at the point at which consent is being
obtained. When you do use consent, you need to ensure you have processes in place to
immediately cease the processing of personal data if the data subject were to withdraw their
consent.


3.3 Collection of personal data 


You should explain how you would usually collect information regarding your pupils /
children / staff members. Examples include:

• registration forms
• medication forms
• Common Transfer Files (CTFs) from previous schools
• staff contract information
• child protection plans


Please note: Where data is collected within a mandatory data collection process, some 
specific items might be voluntary in nature. This must be drawn to the attention of the 
parent / guardian / staff member at the point of collection to comply with data protection 
legislation. 


Where an individual has declined to provide voluntary data items that are lawfully shared
with the Department, it is not possible for that individual to opt out of the whole DfE
specified data collection; however, the fields they have declined to provide should be
returned using the code ‘refused’. This applies to certain items of personal data which
must be self-declared by the data subject (for example, ethnicity).


Some key information may be required as it is considered ‘essential for school / local
authority operational use’. An example is parental contact information: it is not
mandatory, but it is essential. You may wish to highlight this at the point of collection.


3.4 Storing personal data 


To comply with data protection legislation, you must clearly define your individual data 
retention (how long you keep the information) and data security policies. As different 
types of data are held in school and local authority systems for different timescales, you 
can attach a document or link to your website for more information. 


More information on data retention is available in the Department's Data Protection toolkit
for schools document. Some data may need to be kept for a minimum period for legal
purposes, for example, if it relates to financial decisions.


3.5 Who data is shared with 


We would expect you to list all instances of routine data sharing. This is data shared on a
regular basis. Any instances of one-off transfers or ad-hoc requests do not need to be
listed; however, any such sharing must also have a lawful reason.


You need to list the organisation with whom you are sharing the information, the lawful
basis on which you are sharing personal data and the frequency.


3.6 Why data is shared 


This section allows you to expand on why you routinely share information with the list of 
named recipients. Use this section to list the reasons for sharing and any relevant 
legislation that allows the sharing of the data. 


Please note: Schools and local authorities are data controllers in their own right and 
should make the decisions as to whether they share personal data with other 
organisations. Please always ensure there is a clear business need, relevant lawful 
reason and your local data protection officer is in support of the data sharing. 


With regard to statutory data collections to the DfE, best practice indicates you state the
relevant legislation for each data collection you participate in: each data collection or
census guide contains the current legislation detailing the lawful basis for collection
(https://www.gov.uk/education/data-collection-and-censuses-for-schools). You can also
link to the privacy notice for the National Pupil Database, which outlines what the Department
does with the data.


To satisfy data subjects, it is also useful to include information on how data is transferred 
and provide links to data retention policies of the recipient where relevant / available. 


3.7 Requesting access to personal data and contact information


Under data protection legislation, parents, pupils and staff have the right to request 
access to information about them that you hold. They may also have the right (depending 
on the lawful basis) to: 


• object to processing of personal data that is likely to cause, or is causing, damage
or distress
• prevent processing for the purpose of direct marketing
• object to decisions being taken by automated means
• in certain circumstances, have inaccurate personal data rectified, blocked, erased
or destroyed; and
• a right to seek redress, either through the ICO, or through the courts


You should state how they would request such data from you, ensuring you provide
details for your administrator / local data protection officer.


A privacy notice must mention the right to complain to the ICO. It is advisable to include a 
link to the ICO concerns page as a further contact point where a complaint in relation to 
the processing of personal data cannot be resolved locally - https://ico.org.uk/concerns/ 


If a child is considered too young to exercise their rights, a parent or carer may act on
their behalf, but the establishment will need to consider the best interests of the child
before responding. For more information about responding to subject access requests
raised on behalf of children please refer to the ICO website
(https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/#13).


3.8 How the government uses personal data 


This section is intended to further advise pupils, parents and staff members why their 
data is shared with the Department and what happens to it following that transfer. 


The Department for Education (DfE) collects personal data from educational settings and 
local authorities via various statutory data collections. Each data collection or census 
guide contains the legislation detailing the lawful basis for collection: 


https://www.gov.uk/education/data-collection-and-censuses-for-schools 


This data is used for many purposes, with some of the main functions being: 


• school and local authority funding, which is calculated based upon the numbers of
children and their characteristics in each setting
• informing education policy monitoring and school accountability and intervention
(for example, school GCSE results or Pupil Progress measures)
• supporting ‘longer term’ research and monitoring of educational policy (for
example how certain subject choices go on to affect education or earnings beyond
school)


It is advisable where possible to provide links to the departmental pages on this subject 
and not replicate the information to ensure that you always provide up to date information 
to the data subjects. 


3.8.1 National Pupil Database (NPD) 


A section on NPD has been added to the suggested texts at the request of the ICO to
further explain where, and how, the DfE holds a large proportion of data.


Much of the data about pupils in England is held by the DfE in the NPD. It is stored in 
electronic format for statistical purposes. The information is used by the DfE for 
longitudinal studies of educational performance and by the Education and Skills Funding 
Agency (ESFA) to determine funding. 


3.8.2 Sharing by the Department 


This information explains that third parties can request access to the data directly from 
the Department. It is typically more efficient for these organisations to access centrally 
held data in the first instance rather than contact individual schools / local authorities 
directly. 


The law allows the Department to share personal data with certain third parties, including 
those fighting or identifying crime (such as the Home Office and Police). 


For information about which organisations the Department has provided pupil
information to (and for which project), please visit the following website:


https://www.gov.uk/government/publications/dfe-external-data-shares 


3.8.3 Sharing by the Local Authorities 


This information explains that information may be requested by local authorities to be
shared with third parties in support of the provision of their wider education obligations,
such as the processing of Fair Access Panels.


These may be considered occasional requests and the local authority will need to provide 
assurance to the Data Controller of who they share the data with, their lawful basis and 
the security controls and retention periods. 


4. Privacy notice options 
4.1 Layered approach 


You always need to ensure that privacy notices are easy to read and follow. The
format of the privacy notice is determined by the educational setting / local authority and,
where the notice appears ‘too long’, it is acceptable to change the format to a layered
approach.


This is where the key information is present in the notice, with other important
information readily available elsewhere such as your website or an accessible
noticeboard.


4.2 Child friendly notice 


The suggested text documents have been produced on the understanding that they are
to be read by older pupils, parents / guardians and staff members. There is no minimum
age in England when children are considered competent with respect to the Data
Protection Act; this is completed on a case by case basis.


For children who are unable to read or understand their data protection rights
documentation, we would expect the parent / guardian to act on behalf of their child with
respect to the notice - as they may do with a subject access request. However, where
you feel it is of benefit to your establishment or local authority, you may wish to create
a child friendly version. This can be useful when teaching children about personal data.


ICO guidance on children and the GDPR can be found here:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/


Annex A — Example school privacy notice 


This is a non-exhaustive example of a school privacy notice — this must be amended to 
suit local business needs and circumstances. The amendment of this example must 
cover all data processed by the school. 


Privacy Notice (How we use pupil information) 


Who is responsible for this information? Anytown Academy is 
the Data Controller for the use of personal data in this privacy 
notice 


The categories of pupil information that we process include: 


• personal identifiers and contacts (such as name, unique pupil number, contact
details and address)
• characteristics (such as ethnicity, language, and free school meal eligibility)
• safeguarding information (such as court orders and professional involvement)
• special educational needs (including the needs and ranking)
• medical and administration (such as doctors’ information, child health, dental
health, allergies, medication and dietary requirements)
• attendance (such as sessions attended, number of absences, absence reasons
and any previous schools attended)
• assessment and attainment (such as key stage 1 and phonics results, post 16
courses enrolled for and any relevant results)
• behavioural information (such as exclusions and any relevant alternative provision
put in place)


This list is not exhaustive; to access the current list of categories of information we
process please see [link to website]


Why we collect and use pupil information 


The personal data collected is essential for the school to fulfil their official functions and
meet legal requirements.


We collect and use pupil information for the following purposes:


a) to support pupil learning 

b) to monitor and report on pupil attainment progress 

c) to provide appropriate pastoral care 

d) to assess the quality of our services 

e) to keep children safe (food allergies, or emergency contact details) 

f) to meet the statutory duties placed upon us by the Department for Education


Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for 
processing pupil information are: 


• for the purposes of (a), (b), (c) & (d) in accordance with the legal basis of Public
task: collecting the data is necessary to perform tasks that schools are required to
perform as part of their statutory function
• for the purposes of (e) in accordance with the legal basis of Vital interests: to keep
children safe (food allergies, or medical conditions)
• for the purposes of (f) in accordance with the legal basis of Legal obligation: data
collected for DfE census information
  o Section 537A of the Education Act 1996
  o the Education Act 1996 s29(3)
  o the Education (School Performance Information)(England) Regulations 2007
  o regulations 5 and 8 School Information (England) Regulations 2008
  o the Education (Pupil Registration) (England) (Amendment) Regulations 2013


In addition, concerning any special category data: 


• In the case of ethnicity and fingerprint information: condition a: the data subject has 
given explicit consent to the processing of those personal data for one or more specified 
purposes, except where Union or Member State law provide that the prohibition referred to in 
paragraph 1 may not be lifted by the data subject. 


Collecting pupil information 


We obtain pupil information via registration forms at the start of each academic year. In 
addition, when a child joins us from another school, we are sent a secure file containing 
relevant information. 


Pupil data is essential for the school’s operational use. Whilst most of the pupil 
information you provide to us is mandatory, some of it is provided to us on a voluntary 
basis. In order to comply with GDPR, we will inform you at the point of collection whether 
you are required to provide certain pupil information to us or if you have a choice in this, 
and we will tell you what you need to do if you do not want to share this information with 
us. 


Storing pupil data 


We hold pupil data securely for the set amount of time shown in our data retention 
schedule. For more information regarding our data retention schedule and how we keep 
your data safe, please visit [link to website] 


Who we share pupil information with 


We routinely share pupil information with: 


• school that the pupil attends after leaving us 

• our local authority 

• youth support services (pupils aged 13+) 

• the Department for Education (DfE) 

• Local Authorities 


Why we routinely share pupil information 


We do not share information about our pupils with anyone without consent unless the law 
and our policies allow us to do so. 


Youth support services 
Pupils aged 13+ 


Once our pupils reach the age of 13, we also pass pupil information to our local authority 
and / or provider of youth support services as they have responsibilities in relation to the 
education or training of 13-19 year olds under section 507B of the Education Act 1996. 


This enables them to provide services as follows: 


• youth support services 
• careers advisers 


A parent or guardian can object to any information in addition to their child’s name, 
address and date of birth being passed to their local authority or provider of youth 
support services by informing us. This right is transferred to the child / pupil once they 
reach the age of 16. 


Pupils aged 16+ 


We will also share certain information about pupils aged 16+ with our 
local authority and / or provider of youth support services as they have responsibilities in 
relation to the education or training of 13-19 year olds under section 507B of the 
Education Act 1996. 


This enables them to provide services as follows: 


• post-16 education and training providers 
• youth support services 
• careers advisers 


Once they reach the age of 16, a child / pupil can ask that only their name, address and 
date of birth is passed to their local authority or provider of youth support services, by 
informing us. 


Data is securely transferred to the youth support service via a secure file transferring 
system and is stored within local authority software. 


For more information about services for young people, please visit our local authority 
website [link to website] 


Department for Education 


We are required to share information about our pupils with the Department for Education 
(DfE) either directly or via our local authority for the purpose of data collections, under: 


• Section 537A of the Education Act 1996 

• the Education Act 1996 s29(3) 

• the Education (School Performance Information)(England) Regulations 2007 

• regulations 5 and 8 School Information (England) Regulations 2008 

• the Education (Pupil Registration) (England) (Amendment) Regulations 2013 


All data is transferred securely and held by DfE under a combination of software and 
hardware controls, which meet the current government security policy framework. 


For more information, please see the ‘How Government uses your data’ section. 


Local Authorities 


We may be required to share information about our pupils with the local authority to 
ensure that they can conduct their statutory duties under: 


• the Schools Admission Code, including conducting Fair Access Panels. 


Requesting access to your personal data 


Under GDPR, parents and pupils have the right to request access to information about 
them that we hold. To make a request for your personal information, or be given access 
to your child’s educational record, contact Mrs Data Protection Officer on 0123 456789 or 
email data.protection@ourschool.com 


Depending on the lawful basis above, you may also have the right to: 


• object to processing of personal data that is likely to cause, or is causing, damage 
or distress 

• prevent processing for the purpose of direct marketing 

• object to decisions being taken by automated means 

• in certain circumstances, have inaccurate personal data rectified, blocked, erased 
or destroyed; and 

• a right to seek redress, either through the ICO, or through the courts 


If you have a concern about the way we are collecting or using your personal data, you 
should raise your concern with us in the first instance or directly to the Information 
Commissioner's Office at https://ico.org.uk/concerns/ 


Withdrawal of consent and the right to lodge a complaint 


Where we are processing your personal data with your consent, you have the right to 
withdraw that consent. If you change your mind, or you are unhappy with our use of your 
personal data, please let us know by contacting Mrs Data Protection Officer on 0123 
456789 or email data.protection@ourschool.com 


Last updated 


We may need to update this privacy notice periodically, so we recommend that you 
revisit this information from time to time. This version was last updated on 21 June 2019. 


Contact 


If you would like to discuss anything in this privacy notice, please contact: 


• Mrs Data Protection Officer on 0123 456789 or email 
data.protection@ourschool.com 

• Our local authority (website link) 


How Government uses your data 


The pupil data that we lawfully share with the DfE through data collections: 


• underpins school funding, which is calculated based upon the numbers of children 
and their characteristics in each school. 

• informs ‘short term’ education policy monitoring (for example, school GCSE results 
or Pupil Progress measures). 

• supports ‘longer term’ research and monitoring of educational policy (for example, 
how certain subject choices go on to affect education or earnings beyond school). 


Data collection requirements 


To find out more about the data collection requirements placed on us by the Department 
for Education (for example, via the school census), go to 
https://www.gov.uk/education/data-collection-and-censuses-for-schools 


The National Pupil Database (NPD) 


Much of the data about pupils in England goes on to be held in the National Pupil 
Database (NPD). 


The NPD is owned and managed by the Department for Education and contains 
information about pupils in schools in England. It provides invaluable evidence on 
educational performance to inform independent research, as well as studies 
commissioned by the Department. 


It is held in electronic format for statistical purposes. This information is securely 
collected from a range of sources including schools, local authorities and awarding 
bodies. 


To find out more about the NPD, go to 
https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information 


Sharing 


The law allows the Department to share pupils’ personal data with certain third parties, 
including: 


• schools 

• local authorities 

• researchers 

• organisations connected with promoting the education or wellbeing of children in 
England 

• other government departments and agencies 

• organisations fighting or identifying crime 


For more information about the Department's NPD data sharing process, please visit: 


https://www.gov.uk/data-protection-how-we-collect-and-share-research-data 


Organisations fighting or identifying crime may use their legal powers to contact DfE to 
request access to individual level information relevant to detecting that crime. Whilst 
numbers fluctuate slightly over time, DfE typically supplies data on around 600 pupils per 
year to the Home Office and roughly 1 per year to the Police. 


For information about which organisations the Department has provided pupil 
information to (and for which project), or to access a monthly breakdown of data share 
volumes with the Home Office and the Police, please visit the following website: 


https://www.gov.uk/government/publications/dfe-external-data-shares 

How to find out what personal information DfE hold about you 


Under the terms of the Data Protection Act 2018, you are entitled to ask the Department: 


• if they are processing your personal data 

• for a description of the data they hold about you 

• the reasons they’re holding it and any recipient it may be disclosed to 

• for a copy of your personal data and any details of its source 


If you want to see the personal data held about you by the Department, you should make a 
‘subject access request’. Further information on how to do this can be found within the 
Department's personal information charter that is published at the address below: 


To contact DfE: https://www.gov.uk/contact-dfe 


Annex B - Errata 


Guidance strengthened. 